Netgate Discussion Forum
    How to create logical subnets with a single Lan interface without VLAN?

    NAT | 30 Posts 6 Posters 8.1k Views
    kejianshi

      Derelict - Are you saying that putting the 3 switches in 3 separate VLANs will not work for isolating them from each other?

        Derelict LAYER 8 Netgate

        No. That absolutely will, provided one doesn't want different VLANs on the same unmanaged edge switch.

        Nothing wrong with the attached config if you can tolerate unmanaged switches in your network.

        [Attachment: VLANs.png]

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          kejianshi

          Cool - You scared me for a minute. Occasionally my thinking gets a correction here…
          Last time I thought I knew something absolutely for sure, I ended up getting punked by CMB. haha.
          I'm not sure why OP is so opposed to VLANs, but what he said about the client computers being locked down gave me this idea:

          Assuming he is correct and the network is PHYSICALLY secure (no one can plug/unplug things, the machines are truly secured, and no config changes can be made), he could just control what can and cannot be accessed on each client machine's firewall. Seems to me that's the only other way to do it, other than running 3 separate LAN NICs or VLANs.

          I wouldn't recommend that though.

            Derelict LAYER 8 Netgate

            VLANs are far easier than maintaining the necessary MAC address lists.  And since MACs can be easily spoofed, far more effective.

            US$500 gets managed switches all around (cheap ones, but light years better than the proposed hack).

            Dude doesn't want to listen and that's fine with me.  I'm not the one on call when it blows up.


              kejianshi

              Even at $500 he would be doing himself a favor.

              But seriously, for $30 to $50 he could get a VERY nice used managed gigabit switch with a ton of ports from someone on ebay who is upgrading to 10GB…

              You think I make a habit of buying all new hardware?  I'd be broke...  I have stuff everywhere.

              (I buy hardware for people with the condition to run my services on their bandwidth)

                cceraja

                Hi,

                MAC can be spoofed. Even VLANs are not secure. A determined person can still plug into a VLAN port and gain access to the VLAN. But I am not going into this now. And it's hard for me to convince my client to buy additional hardware. He has been living with this network for years.

                If my configuration will work, why is it that I have problems when configuring gateway groups (load balancing) in pfSense? Is this a known issue with pfSense? Whenever I configure gateway groups, the first hop always goes to the WAN router instead of my pfSense router. I believe it should be a simple routing issue. Not sure how to fix this. I am just new to pfSense.

                Regards,
                Raja

                  johnpoz LAYER 8 Global Moderator

                  You don't run multiple layer 3 over the same layer 2 - you do not do this, this is wrong.. I don't care what the client says. Why do they even think it is possible?? Let them set up their own network then - I wouldn't have anything to do with this. If they are so freaking cheap they won't spend pennies to get the correct hardware - they sure as hell cannot be paying you anything worth doing something this wrong!!

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                    Derelict LAYER 8 Netgate

                    @cceraja:

                    Is this a known issue with pfSense? Whenever I configure gateway groups, the first hop always goes to the WAN router instead of my pfSense router. I believe it should be a simple routing issue. Not sure how to fix this. I am just new to pfSense.

                    No.  It's a known issue with hokey, broken network design.  All sorts of wacky crap will happen.  Expect it.


                      Derelict LAYER 8 Netgate

                      @cceraja:

                      Even VLANs are not secure. A determined person can still plug into a VLAN port and gain access to the VLAN.

                      Umm, yes.  Plug into an enabled port on the VLAN and you're on the VLAN.  That's sort of the point.  Controlling such access is a completely separate problem, which might be solved using 802.1x if that's what you're worried about.  You'd need managed switches though.  ;)

                      If you're talking about VLAN hopping I'll need to see an example with modern gear to believe it's still a viable hack.


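The three claims in the posts above (johnpoz: several layer 3 subnets on one layer 2 segment give no isolation; Derelict: a MAC list is defeated by spoofing while a VLAN boundary holds, and anyone plugged into an enabled port in a VLAN is on that VLAN) can be checked against a small model of a switched segment. The following is an added example by the editor, not code from Netgate or from any poster in this thread; the host names, MAC addresses, port numbers and IP ranges are constructed for the illustration and the switch logic is a deliberate simplification (ARP flooding limited to the sender's VLAN, untagged ports defaulting to VLAN 1).

```python
"""Toy model of a switched Ethernet segment (added example, constructed data).

Models what the thread argues: IP subnets on one flat Layer 2 domain are not
isolated from each other, a MAC allow-list is bypassed by spoofing, and an
802.1Q VLAN boundary holds regardless of IP or MAC while anyone plugged into
an enabled port in the VLAN is simply on that VLAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface


@dataclass
class Host:
    name: str
    mac: str
    addrs: list          # ip_interface objects, e.g. 192.168.1.10/24
    port: int            # switch port the host is cabled to

    def on_link(self, dst_ip: str) -> bool:
        """True if dst_ip is in a directly connected subnet: the host ARPs for
        it and sends straight to the target, so no router is involved."""
        return any(ip_address(dst_ip) in a.network for a in self.addrs)


class Switch:
    """Unmanaged (one flat broadcast domain) unless vlan_of_port maps ports to
    VLAN ids; mac_allow, if given, models a MAC allow-list on the switch."""

    def __init__(self, vlan_of_port=None, mac_allow=None):
        self.vlan_of_port = vlan_of_port or {}
        self.mac_allow = mac_allow
        self.hosts = {}                  # port -> Host

    def attach(self, host: Host) -> None:
        self.hosts[host.port] = host

    def vlan(self, port: int) -> int:
        return self.vlan_of_port.get(port, 1)   # untagged ports default to VLAN 1

    def deliver(self, src: Host, dst_ip: str) -> str:
        """Report where a frame from src addressed to dst_ip ends up."""
        if self.mac_allow is not None and src.mac not in self.mac_allow:
            return "dropped: MAC not in allow-list"
        if not src.on_link(dst_ip):
            return "sent to default gateway (pfSense sees it)"
        # The ARP request floods only the ports in the sender's VLAN.
        for port, h in self.hosts.items():
            if h is src or self.vlan(port) != self.vlan(src.port):
                continue
            if any(a.ip == ip_address(dst_ip) for a in h.addrs):
                return f"delivered to {h.name} directly (pfSense never sees it)"
        return "dropped: no ARP reply in this broadcast domain"


def make_hosts():
    # Constructed hosts: victim in "subnet 2", attacker in "subnet 1".
    victim = Host("finance-pc", "02:00:00:00:00:02", [ip_interface("192.168.2.20/24")], port=2)
    attacker = Host("guest-pc", "02:00:00:00:00:01", [ip_interface("192.168.1.10/24")], port=1)
    return victim, attacker


def flat_segment_demo():
    """Two 'subnets' on one unmanaged switch: one added address crosses them."""
    victim, attacker = make_hosts()
    sw = Switch()
    sw.attach(victim)
    sw.attach(attacker)
    before = sw.deliver(attacker, "192.168.2.20")
    attacker.addrs.append(ip_interface("192.168.2.99/24"))   # one `ip addr add` on the attacker
    after = sw.deliver(attacker, "192.168.2.20")
    return before, after


def mac_allowlist_demo():
    """MAC allow-list on the flat segment, then the same frame with a spoofed MAC."""
    victim, attacker = make_hosts()
    attacker.addrs.append(ip_interface("192.168.2.99/24"))
    sw = Switch(mac_allow={"02:00:00:00:00:02", "02:00:00:00:00:03"})
    sw.attach(victim)
    sw.attach(attacker)
    blocked = sw.deliver(attacker, "192.168.2.20")
    attacker.mac = "02:00:00:00:00:03"                        # spoof an allowed MAC
    spoofed = sw.deliver(attacker, "192.168.2.20")
    return blocked, spoofed


def vlan_demo():
    """Managed switch: port 1 in VLAN 10, ports 2 and 3 in VLAN 20."""
    victim, attacker = make_hosts()
    attacker.addrs.append(ip_interface("192.168.2.99/24"))
    attacker.mac = "02:00:00:00:00:02"                        # spoofing does not help here
    insider = Host("plugged-in", "02:00:00:00:00:09", [ip_interface("192.168.2.30/24")], port=3)
    sw = Switch(vlan_of_port={1: 10, 2: 20, 3: 20})
    for h in (victim, attacker, insider):
        sw.attach(h)
    # Attacker is in VLAN 10; the host cabled to a VLAN 20 port is on VLAN 20.
    return sw.deliver(attacker, "192.168.2.20"), sw.deliver(insider, "192.168.2.20")


if __name__ == "__main__":
    for name, demo in (("flat", flat_segment_demo), ("mac", mac_allowlist_demo), ("vlan", vlan_demo)):
        print(name, demo())
```

In the flat case the first frame goes to the gateway only because the attacker has not yet bothered to add an address in the other range; after that one change the traffic is host-to-host and pfSense never sees a packet to filter. The MAC list changes nothing once the attacker copies an allowed MAC. With the VLAN switch the attacker's ARP request never reaches the victim's port, whatever IP or MAC it carries, while a host on an enabled VLAN 20 port reaches the victim as expected; controlling who gets such a port is the separate access-control problem (802.1X) the post above refers to.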
                        johnpoz LAYER 8 Global Moderator

                        @Derelict:

                        No.  It's a known issue with hokey, broken network design.  All sorts of wacky crap will happen.  Expect it.

                        Oh that made my morning!!  Always good to start the day with a laugh!! ;) heheeheheh


                          Harvy66

                          @cceraja:

                          Hello Derelict,

                          I agree that it may not be a standard way. But still when a feature is there why not exploit it?

                          Look at the advantage it has… You don't need additional switches and additional nic for subnets.

                          Regards,
                          Raja

                          That's not a feature, it's an undefined configuration that is highly recommended against. Kind of like people using a high or low IP address of a subnet. It can work in some setups, but expect strange stuff to happen.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.